impossible differential cryptanalysis on deoxys-bc-256

Deoxys is a final-round candidate of the caesar competition. deoxys is built upon an internal tweakable block cipher deoxys-bc, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. this paper presents the first impossible differential cryptanalysis of deoxys-bc-256 which is used in deoxys as an internal tweakable block cipher. first, we find a 4.5-round id characteristic by utilizing a miss-in-the-middle-approach. we then present several cryptanalysis based upon the 4.5 rounds distinguisher against round-reduced deoxys-bc-256 in both single-key and related-key settings. our contributions include impossible differential attacks on up to 8-round deoxys-bc-256 in the single-key model. our attack reaches 9 rounds in the related-key related-tweak model which has a slightly higher data complexity than the best previous results obtained by a related-key related-tweak rectangle attack presented at fse 2018, but requires a lower memory complexity with an equal time complexity.